rsyslog events


Romain Hennebois

Apr 30, 2024, 10:44:04 AM
to Wazuh | Mailing List
Hi team,

I would like to know if there is a way to help me with Wazuh.
I have separated my indices to apply different lifecycle policies, but I have some issues with my events.

I am currently facing some issues with rsyslog events. I have recently added my proxy's events via rsyslog to retrieve them in Wazuh security events, and my proxy is generating a lot of events.
After configuring rsyslog, Wazuh reported this event to me:

full_log : The average number of logs between 11:00 and 12:00 is 39813. We have reached 99534.

They show up in the "wazuh-archives*" index without any rule.id or rule.level, but I want to put them in my own index called "wazuh-alerts-4.x-proxy*".
The same goes for the postfix events from my Debian mail server. My postfix events from "/var/log/maillog" show up in archives without a rule.id or rule.level, but not in my own "wazuh-alerts-4.x-mail*" index.

I'd like to know how to deal with this, because I'm lost these days and it's the last big thing to do for this project.
Is there a way to create a rule to help Wazuh with these logs and put them in the right index?
Is there a way to reduce the amount of logs with anti-flooding in syslog, to avoid this syslog event?

For more information, I'm back at work this Thursday. In the meantime, I'm sharing some configuration files to make this clearer.

Thanks in advance for your help.
rsyslog.conf
ossec.conf (agent mail)
pipeline.json

Nico Brambilla

May 2, 2024, 11:32:38 AM
to Wazuh | Mailing List
Hi Romain, how are you? I apologize for the delay in my response.

First, you need to follow this guide and create a custom index pattern for your custom alerts:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html#creating-custom-index-pattern

Then you need to create a new rule to catch the events you want to go to the new index you created (like "wazuh-alerts-4.x-proxy").

You can achieve this by following these guides:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/log-data-analysis.html#log-data-analysis (how the log data analysis process works; I recommend reading it so you can understand it better)
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html (here is the decoder syntax, so you will be able to extract the interesting fields of your logs)
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html (here is the rule syntax, so you will be able to extract the interesting behaviours of your logs)

Romain Hennebois

May 3, 2024, 4:31:31 AM
to Wazuh | Mailing List
Thanks for your reply! I'll check it out and come back if I need any help!

Romain Hennebois

May 3, 2024, 9:16:10 AM
to Wazuh | Mailing List
Hi Nicolas,

Sorry to bother you again, but can you help me with decoders and rules?
I've solved the postfix problem, but I'm lost with my proxy's events.
My logs are like this:

2024-05-03T15:05:04+02:00 VM-Howlite squid[11352]: 00:00:00:00:00:00 192.168.xx.xx - - 03/May/2024:15:05:04 +0200 CONNECT nf.smartscreen.microsoft.com:443 HTTP/1.1 200 10835 TCP_TUNNEL:HIER_DIRECT - - nf.smartscreen.microsoft.com 192.168.xx.xx 161 -

Best regards

Manuel Alejandro Roldan Mella

May 6, 2024, 11:30:00 AM
to Wazuh | Mailing List
Hi Romain,

Given the log format you provided, here’s a guide to help you out:

1. First, you need to create a decoder to extract the fields from your proxy logs:

   <decoder name="squid-decoder">
       <!-- Wazuh pre-decoding strips the syslog header (timestamp, VM-Howlite, squid[11352]:),
            so match on the extracted program name and parse only the message body -->
       <program_name>^squid$</program_name>
       <!-- type="pcre2" enables \S and \d{3}; each capture group maps to exactly one <order> field -->
       <regex type="pcre2">^\S+ (\S+) \S+ \S+ \S+ \S+ (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)</regex>
       <order>srcip, method, url, protocol, status, bytes, hierarchy</order>
   </decoder>

2. Once you have your decoder set up, you need a rule:

<rule id="100001" level="5">
    <decoded_as>squid-decoder</decoded_as>
    <program_name>^squid$</program_name>
    <field name="status">^200$</field>
    <description>Proxy access (Squid) - Successful connection.</description>
    <mitre>
        <id>T1071</id>
    </mitre>
</rule>

3. Remember to test them. Use the /var/ossec/bin/ossec-logtest tool to verify that your logs are processed correctly.

4. Ensure your rule includes a tag to route the logs to your custom index, like so:

<rule id="100001" level="5">
    <decoded_as>squid-decoder</decoded_as>
    <program_name>^squid$</program_name>
    <field name="status">^200$</field>
    <description>Proxy access (Squid) - Successful connection.</description>
    <mitre>
        <id>T1071</id>
    </mitre>
    <!-- rule groups are emitted as rule.groups in the alert, which a pipeline can filter on -->
    <group>proxy_traffic,</group>
</rule>
Remember, Wazuh does not directly support modifying the routing to custom indices within the wazuh-indexer.yml file without involving additional components like Logstash. Please refer to this community thread for more info https://groups.google.com/g/wazuh/c/PNGiZaSOMsc

Please note that the provided examples are meant to guide you in setting up your decoders and rules. You may need to adjust them based on the specific requirements.
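As an added example (not Wazuh's code and not from the original post), here is an offline pre-flight check for a decoder/rule pair of the shape discussed above, covering the four steps as one procedure. It parses a decoder written with `<regex type="pcre2">` and `<order>`, checks that the number of capture groups equals the number of `<order>` fields (a mismatch makes the decoder assign fields positionally and silently lose the rest), then runs constructed rsyslog lines through a simplified model of analysisd: syslog header pre-decoding, `<program_name>` check, body regex, and the rule's `<field>` conditions, returning the `rule.id`/`rule.groups` values a routing pipeline would key on. Assumptions: the header regex covers only the `timestamp host program[pid]: body` layout shown in the thread, `<program_name>` (Wazuh's OSMatch syntax) is approximated with a Python regex, which is exact for a literal such as `^squid$`, and the sample log lines are constructed here.

```python
"""Offline consistency check and dry run for a Wazuh pcre2 decoder plus rule.
Added example, not Wazuh's own code; sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed decoder and rule, same shape as the ones discussed in the thread.
DECODER_XML = r"""
<decoder name="squid-decoder">
  <program_name>^squid$</program_name>
  <regex type="pcre2">^\S+ (\S+) \S+ \S+ \S+ \S+ (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)</regex>
  <order>srcip, method, url, protocol, status, bytes, hierarchy</order>
</decoder>
"""
RULE_XML = r"""
<rule id="100001" level="5">
  <decoded_as>squid-decoder</decoded_as>
  <program_name>^squid$</program_name>
  <field name="status">^200$</field>
  <description>Proxy access (Squid) - Successful connection.</description>
  <group>proxy_traffic,</group>
</rule>
"""
# Constructed log lines: a 200 CONNECT, a 403 GET, and a non-squid line.
SAMPLE_LOGS = [
    "2024-05-03T15:05:04+02:00 VM-Howlite squid[11352]: 00:00:00:00:00:00 192.168.10.20 - - "
    "03/May/2024:15:05:04 +0200 CONNECT nf.smartscreen.microsoft.com:443 HTTP/1.1 200 10835 "
    "TCP_TUNNEL:HIER_DIRECT - - nf.smartscreen.microsoft.com 192.168.10.20 161 -",
    "2024-05-03T15:05:09+02:00 VM-Howlite squid[11352]: 00:00:00:00:00:00 192.168.10.21 - - "
    "03/May/2024:15:05:09 +0200 GET http://example.invalid/blocked HTTP/1.1 403 3541 "
    "TCP_DENIED:HIER_NONE - - example.invalid 192.168.10.21 2 -",
    "2024-05-03T15:05:11+02:00 mail01 postfix/smtpd[2211]: connect from unknown[192.168.10.30]",
]
# Syslog header as rsyslog writes it here: ISO 8601 timestamp, host, program[pid]: body
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<hostname>\S+) (?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<body>.*)$")


def load_decoder(xml_text):
    """Read name, <program_name>, the pcre2 <regex> and the <order> list."""
    node = ET.fromstring(xml_text.strip())
    regex_node = node.find("regex")
    if regex_node is None or regex_node.get("type") != "pcre2":
        raise ValueError('this checker only understands <regex type="pcre2">')
    order = [f.strip() for f in node.findtext("order", "").split(",") if f.strip()]
    return {"name": node.get("name"), "program_name": node.findtext("program_name"),
            "regex": re.compile(regex_node.text), "order": order}


def check_decoder(dec):
    """Capture groups and <order> fields must line up one to one."""
    groups, fields = dec["regex"].groups, len(dec["order"])
    if groups != fields:
        raise ValueError(f"{dec['name']}: {groups} capture groups but {fields} <order> fields")
    return groups


def decoder_is_consistent(xml_text):
    """True when the decoder passes check_decoder, False otherwise."""
    try:
        check_decoder(load_decoder(xml_text))
        return True
    except ValueError:
        return False


def decode(dec, line):
    """Pre-decode the header, test program_name, then run the regex on the body only."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    header = m.groupdict()
    # OSMatch approximated by a regex (assumption; exact for a literal like ^squid$)
    if dec["program_name"] and not re.search(dec["program_name"], header["program"]):
        return None
    body = dec["regex"].search(header["body"])
    if not body:
        return None
    fields = dict(zip(dec["order"], body.groups()))
    fields.update(program_name=header["program"], hostname=header["hostname"], decoder=dec["name"])
    return fields


def load_rule(xml_text):
    """Read the rule options this dry run evaluates."""
    node = ET.fromstring(xml_text.strip())
    return {"id": node.get("id"), "level": int(node.get("level")),
            "decoded_as": node.findtext("decoded_as"), "program_name": node.findtext("program_name"),
            "fields": {f.get("name"): f.text for f in node.findall("field")},
            "description": node.findtext("description"),
            "groups": [g for g in node.findtext("group", "").split(",") if g]}


def evaluate_rule(rule, fields):
    """Return the alert's rule/data parts when every condition holds, else None."""
    if fields is None or fields["decoder"] != rule["decoded_as"]:
        return None
    if rule["program_name"] and not re.search(rule["program_name"], fields["program_name"]):
        return None
    for name, pattern in rule["fields"].items():
        if name not in fields or not re.search(pattern, fields[name]):
            return None
    return {"rule": {"id": rule["id"], "level": rule["level"],
                     "description": rule["description"], "groups": rule["groups"]},
            "data": {k: v for k, v in fields.items() if k != "decoder"}}


def run_samples(decoder_xml=DECODER_XML, rule_xml=RULE_XML, logs=SAMPLE_LOGS):
    """Validate the decoder, then return one (decoded fields, alert) pair per line."""
    dec = load_decoder(decoder_xml)
    check_decoder(dec)
    rule = load_rule(rule_xml)
    return [(fields, evaluate_rule(rule, fields)) for fields in (decode(dec, l) for l in logs)]


if __name__ == "__main__":
    for fields, alert in run_samples():
        print("decoded:", fields)
        print("alert  :", alert["rule"] if alert else None)
```

Running it shows the first line decoded and matched (rule 100001, group proxy_traffic), the 403 line decoded but not alerting, and the postfix line rejected at the program_name check; the group-count check is what would have flagged the original 17-group, 11-field decoder before it was loaded. The real verification step remains wazuh-logtest on the manager, since this model does not reproduce every analysisd behaviour.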